RHSA-2026:40138HighCVSS 8.7

Red Hat Security Advisory: Red Hat Advanced Cluster Management for Kubernetes v2.11.10 security update

Published
July 15, 2026
Last Modified
July 16, 2026

🔗 CVE IDs covered (16)

📋 Description

CVE-2025-9288 — sha.js: Missing type checks leading to hash rewind and passing on crafted data CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions CVE-2026-21721 — grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation CVE-2026-22029 — @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects CVE-2026-25639 — axios: Axios affected by Denial of Service via proto Key in mergeConfig CVE-2026-42508 — golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability CVE-2026-44496 — axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name CVE-2026-44990 — sanitize-html: sanitize-html: Stored Cross-Site Scripting via HTML sanitizer bypass CVE-2026-46384 — github.com/hamba/avro/v2: github.com/linkedin/goavro/v2: Integer Overflow in Avro Decoder CVE-2026-46385 — github.com/hamba/avro/v2: github.com/linkedin/goavro/v2: CPU Exhaustion in Avro Decoder via Unbounded Block-Count Iteration

🔗 References (20)